autofix
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it is designed to retrieve external pull request comments and execute the content of the '🤖 Prompt for AI Agents' section as direct, literal instructions for the agent.
- Ingestion points: PR comments are fetched from Bitbucket via the
bkt pr commentscommand (SKILL.md, Step 3). - Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore malicious content within the injected prompts; instead, they explicitly state to 'follow agent prompts literally'.
- Capability inventory: The agent possesses capabilities to edit files (
Edittool), commit changes (git commit), and push to remote repositories (git push), which could be abused by malicious instructions. - Sanitization: Absent. There is no validation or filtering of the instruction content beyond identifying the specific block.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
bkt(Bitbucket CLI) tool from a personal Homebrew tap (avivsinai/tap/bitbucket-cli). This source is not an official repository of Bitbucket, Atlassian, or the skill author, representing an unverifiable dependency from an unknown third-party source. - [COMMAND_EXECUTION]: The workflow involves the agent executing logic and instructions parsed dynamically from external PR comments. This 'instruction-as-code' pattern allows the source of the comments to control the agent's file system and version control operations.
Audit Metadata